@ubergesundheit
Last active December 31, 2023 00:44
CA setup with certstrap

Certificate Authority setup

The certificates used for mTLS authentication can be generated with certstrap or with any other tool that produces TLS certificates (openssl, step CLI).

Example CA generation with certstrap

We follow Mozilla's advice: one long-lived root CA certificate, plus intermediate CA certificates that sign the actual client certificates. The root key is used only to sign intermediates and can stay offline; if an intermediate is compromised it can be revoked and replaced without re-distributing the root.

If both your server and your clients support Ed25519 certificates, add --curve=Ed25519 to the init and request-cert commands. (This requires a certstrap build from source: CGO_ENABLED=0 go install github.com/square/certstrap@2a55ac3)

Keep the root CA files that this creates, in particular the private key certs/my-rootCA.key, somewhere safe, ideally offline. The root key is only needed to sign or renew an intermediate.

mkdir -p certs
# Create root CA certificate
certstrap --depot-path certs init --common-name "my-rootCA" --expires "10 years" --organization "my Org"

This intermediate CA is used to sign client certificates; it is itself signed by the root CA.

# Request and sign intermediate CA certificate
certstrap --depot-path certs request-cert --common-name "my-intermediateCA" --organization "my Org"
certstrap --depot-path certs sign "my-intermediateCA" --CA "my-rootCA" --expires "2 years" --intermediate

Finally, the end-entity certificates that clients authenticate with are signed by the intermediate CA. You can either generate key, CSR and certificate in one place (as below) or only sign a CSR that the client hands you.

# Request and sign final client certificate without passphrase
certstrap --depot-path certs request-cert --common-name "clientA" --organization "my Org" --passphrase ""
certstrap --depot-path certs sign clientA --CA "my-intermediateCA" --expires "1 years"

The above way of creating client certificates, with the key and the signed certificate produced on the same machine, should only be used for testing. In production, the user who should be authenticated runs the request-cert step, sends the resulting .csr file to the CA holder, and the CA holder runs the sign step and sends the .crt file back. The user's private key never leaves the user's machine, and the CA holder only ever sees the CSR and the certificate.
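The same root/intermediate/client procedure, as an added example in Go using only the standard library (this is not certstrap's code and not part of the original gist). It mirrors the names and lifetimes of the commands above, uses Ed25519 keys as the --curve note suggests, and splits the client step into the user's side (key + CSR) and the CA holder's side (check the CSR, issue the certificate), then verifies the chain the way an mTLS server would. The organization string "my Org", the one-minute NotBefore backdating and the random 128-bit serial are assumptions chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) { // failures that only occur when the system itself is broken (RNG, DER encoding)
	if err != nil {
		panic(err)
	}
}

// parse turns CreateCertificate's (der, err) result back into a certificate.
func parse(der []byte, err error) *x509.Certificate {
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// template fills the fields every certificate shares; "my Org" matches the certstrap commands above.
func template(cn string, years int) *x509.Certificate {
	sn, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random serial: sequential ones leak issuance counts
	check(err)
	return &x509.Certificate{
		SerialNumber:          sn,
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"my Org"}},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().AddDate(years, 0, 0),
		BasicConstraintsValid: true, // IsCA stays false unless the caller sets it
	}
}

// newCA is "certstrap init" when parent is nil (self-signed root) and
// "request-cert" + "sign --intermediate" otherwise.
func newCA(cn string, years int, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := template(cn, years)
	tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	if parent == nil {
		parent, parentKey = tmpl, priv // the root signs itself
	} else {
		tmpl.MaxPathLen, tmpl.MaxPathLenZero = 0, true // pathlen:0, may issue leaves but no further CAs
	}
	return parse(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)), priv
}

// clientCSR is the user's side: only the CSR bytes go to the CA holder, the private key stays here.
func clientCSR(cn string) (ed25519.PrivateKey, []byte) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: []string{"my Org"}}}, priv)
	check(err)
	return priv, csrDER
}

// signCSR is the CA holder's side: check the CSR's self-signature (proof of possession of the key),
// then issue a client-auth leaf. Only CN and public key come from the CSR; usages are set by the CA.
func signCSR(csrDER []byte, ca *x509.Certificate, caKey ed25519.PrivateKey, years int) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	tmpl := template(csr.Subject.CommonName, years)
	tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	return parse(x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)), nil
}

// verifyClient is what the mTLS server does: trust only the root, take intermediates from the
// handshake, and require the client-auth extended key usage.
func verifyClient(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	root, rootKey := newCA("my-rootCA", 10, nil, nil)
	inter, interKey := newCA("my-intermediateCA", 2, root, rootKey)
	_, csr := clientCSR("clientA")                // user side
	leaf, err := signCSR(csr, inter, interKey, 1) // CA-holder side
	check(err)
	fmt.Println("chain via intermediate:", verifyClient(leaf, root, inter)) // <nil>
	fmt.Println("intermediate missing:", verifyClient(leaf, root))          // error
}
```

The second verification deliberately fails: a server that only trusts the root cannot build the chain unless the client presents the intermediate in the handshake (or the server is configured with it). That is the most common mTLS setup failure with a two-tier CA, and it is also why the CA holder should hand the user the intermediate certificate alongside the signed .crt. The pathlen:0 constraint on the intermediate and the fact that the leaf is issued with IsCA false mean neither can be abused to mint further certificates.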
